Android Digital Signature and packaging

Android Digital Signature Learning Note Posted on2010-01-17 18:38Feisky Reading (20834Reviews4) Edit Favorites

In an Android system, all applications installed to the system must have a digital certificate that identifies the author of the application and establishes a trust relationship between the applications, if a permission ProtectionLevel is signature, Then only applications that have the same digital certificate as the program where the permission resides can get that permission. Android uses a Java digital certificate-related mechanism to give the APK a digital certificate, to understand the digital certificate of Android, you need to first understand the following digital certificate concepts and Java digital certificate mechanism. The Android system requires that every application installed into the system is signed with a digital certificate, and the private key of the digital certificate is stored in the programmer's hands. Android uses digital certificates to identify the author of an application and to establish a trust relationship between applications, not to determine which applications the end user can install. This digital certificate does not require an authoritative digital certificate signing Authority authentication, it is only used to make the application package self-certified.

multiple programs of the same developer use the same digital certificate as much as possible , which provides the following benefits.

(1) in favor of the program upgrade, when the new version of the program and the old program's digital certificate, the Android system will think that the two programs are different versions of the same program. If the new program and the old version of the digital certificate is not the same, then the Android system think they are different programs, and create a conflict, will require the newly-created program to change the package name.

(2) facilitates the modular design and development of the program. Android allows programs with the same digital signature to run in one process, and the Android program treats them as the same program. So developers can develop their own programs into modules, and users only need to download the appropriate modules when needed.

(3) Data and code can be shared across multiple programs through permissions (permission). Android provides a digital certificate-based permission-granting mechanism that allows applications to share overviews or data with other programs to those that have the same digital credentials as themselves. If the ProtectionLevel of a permission (permission) is signature, this permission can only be granted to programs that have the same digital certificate as the package in which the permission resides.

When signing, you need to consider the validity period of the digital certificate :

(1) The validity period of the digital certificate should include the program's expected life cycle, once the digital certificate expires, the program that holds the digital certificate will not be upgraded properly.

(2) If multiple programs use the same digital certificate, the validity period of the digital certificate will include the expected lifetime of all programs.

(3) Android market enforces that all application digital certificates remain valid until October 22, 2033.

Android Digital certificates include the following points:

(1) all applications must have a digital certificate and the Android system will not install an application without a digital certificate

(2) The digital certificate used by the Android package can be self-signed and does not require an authoritative digital certificate Authority signature Authentication

(3) If you want to formally publish an Android, you must sign the program with a digital certificate generated by a suitable private key , rather than using the ADT plugin or the debug certificate generated by the Ant tool to publish.

(4) Digital certificates are valid , and Android only checks the validity of the certificate when the application is installed. If the program is already installed on the system, it does not affect the normal functionality of the program, even if the certificate expires.

(5) Android uses standard Java tools Keytool and Jarsigner to generate digital certificates and to sign application packages.

(6) Use the zipalign optimization program.

Android does not install an APK program that runs without a digital signature, either on the emulator or on the actual physical device. Android's development tools (ADT plugin and ANT) can help developers sign the APK program in two modes: Debug mode and Release mode.

In debug mode, Android's development tools use a debug digital certificate to sign the program each time they compile, and developers don't need to worry about it.

When you want to publish a program, developers need to use their own digital certificate to sign the APK package, there are two ways to do it.

(1) Use the Keytool in the JDK (for generating digital certificates) and Jarsigner (for signing with digital certificates) on the command line to sign the APK package.

(2) Signing with ADT Export Wizard (if no digital certificate may be required to generate a digital certificate).

using Keytool and Jarsigner to sign programs

Command:keytool-genkey-v-keystore android.keystore-alias android-keyalg rsa-validity 20000

In this command,-keystore Ophone.keystore represents the generated certificate, which can be added to the path (by default in the user home directory), and-alias ophone means that the certificate alias is the RSA algorithm used by the OPHONE;-KEYALG RSA representation ;-validity 20000 indicates that the certificate is valid for 20,000 days.

At this point, we'll see Ophone.keystore in the Interoperable home directory, which is the certificate we just created.

The program is then signed:

jarsigner usage : [options] Jar file Alias
jarsigner-verify [options] Jar file

Execution:jarsigner-verbose-keystore android.keystore-signedjar android123_signed.apk android123.apk Android you can generate a signed apk file, enter the file android123.apk, and eventually generate android123_signed.apk for Android signed apk execution file. The following prompts enter the same password as the Keytool input. (But in my JDK directory did not find Jarsigner this program, do not know what is going on)

signing using the ADT Export Wizard

Application (APK) signature, in EC, right-click Application Engineering, select

Select the storage path of the certificate, fill in the relevant information, complete, you can generate the signed APK file. As shown in the following:

As shown, we can see that you can also select "Create New KeyStore" Here to create a certificate. Enter the password, click Next, fill in the relevant information, as shown in.

using zipalign to optimize APK

According to the official documentation, the application data in the Android system is stored in its apk file and can be accessed by multiple processes, including the following steps:

• Installer Get permissions information associated with the current application through each APK's manifest file
• Home application Read the current APK name and icon information.
• System server will read some information related to application operations, such as obtaining and processing application notifications requests.
• Finally, the APK contains content that is not limited to the current application and can be called by other application to improve the reusability of the system resources.

The most fundamental purpose of zipalign optimization is to help the operating system more efficiently according to the request index resources, will resource-handling code unified data Structure alignment (data structure alignment standard: DSA) limited to 4-byte Boundaries. Without the alignment criteria, the processor cannot accurately and quickly locate related resources in the memory address. The current system uses the fallback mechanism mechanism to handle applications that do not have the DSA standard, which makes it much easier for ordinary developers to focus on cumbersome memory operations. But on the contrary, for such an application will give ordinary users a certain amount of trouble, not only affect the efficiency of the operation of the program, but also the overall performance of the system to reduce the efficiency and consumption of unnecessary memory resources, and even consume a certain amount of battery resources (battery life).

command line mode manual optimization :

• Use the Zipalign tool under the Tools folder. First bring up the cmd command line, then execute:zipalign-v 4 source.apk androidres.apk. This method is not limited by the API level and can perform align optimizations on any version of the APK.
• You can also use the Zipalign tool to check if the current apk has performed align optimizations. Command:zipalign-c-V 4 androidres.apk

automatic optimization using ADT:

• Starting with the ADT 0.9.3 release, you can automatically perform align operations on the published application packages through the Export Wizard. Setup method: Right-click Project and select "Android Tools" > "Export signed Applicationpackage ...".

In summary, you can use Keytool, Jarsigner, zipalign to sign the program and optimize the program, which requires three different tools:

Keytool-genkey-v-keystore android.keystore-alias android-keyalg rsa-validity 20000

Jarsigner-verbose-keystore Android.keystore-signedjar android123_signed.apk android123.apk Android

Zipalign-v 4 android123_signed.apk android123_signed_aligned.apk

Of course, you can also use the ADT plugin in the export signed application package ... To execute, the graphical interface is more simple, image, and intuitive.

From for notes (Wiz)

Android Digital Signature and packaging